November 26, 2020

Volume X, Number 331


November 25, 2020

Subscribe to Latest Legal News and Analysis

November 24, 2020

Subscribe to Latest Legal News and Analysis

November 23, 2020

Subscribe to Latest Legal News and Analysis

Will CCPA Regulation Change Again?: Comment Deadline Looming

The California Attorney General recently released a third set of proposed modifications to the CCPA regulations. As we previously covered, the CCPA regulations were approved and went into effect on August 14, 2020. Many companies will likely be frustrated by the fact that new changes have been proposed again, just two months after the final version was approved. Companies have until October 28, 2020 to submit comments to the AG on the modifications.

Generally, the proposed modifications provide additional detail to the requirements for those companies selling information. They also address requirements related to the use of authorized agents for identity verification. The proposed modifications are summarized here, and seem to center on areas of confusion for many companies:

  • 999.306(b)(3) (Notice of Right to Opt-Out). Provides examples of how businesses that collect personal information from consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method. Specifically, brick-and-mortar stores may choose to print the notice on the paper forms that collect the personal information. They could also post signage in the area where the personal information is collected, directing consumers to where the notice can be found online.

  • 999.315(h) (Requests to Opt-Out). Provides guidance on how a company’s methods for submitting requests to opt-out should be easy and require minimal steps. It includes some examples of methods that would have a “substantial effect of subverting or impairing a consumer’s choice to opt-out.” For example, a process that requires consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their choice. Or, if clicking on the “Do Not Sell My Personal Information” leads consumers to a page that requires them to scroll through a privacy policy or other webpage to find the mechanism for opting out.

  • 999.326(a) (Authorized Agents). Clarifies the proof a business may require from an authorized agent to verify a request, as well from a consumer.

  • 999.332(a) (Notice to Consumers Under 16). Clarifies that businesses subject to either section 999.330 (those selling information of consumers under 13), section 999.331 (those selling information of consumers 13 through 15) or both of these sections, must include a description of the processes in those sections in their privacy policies.

Putting it Into Practice. The timing of these proposed changes could suggest areas where the AG is focusing from an enforcement perspective. Companies have until October 28 to submit comments, which the AG has asked be confined only to these proposed changes.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 293



About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...